[go: up one dir, main page]

WO2025005456A1 - Method and device of multimedia playback for virtual system - Google Patents

Method and device of multimedia playback for virtual system Download PDF

Info

Publication number
WO2025005456A1
WO2025005456A1 PCT/KR2024/006501 KR2024006501W WO2025005456A1 WO 2025005456 A1 WO2025005456 A1 WO 2025005456A1 KR 2024006501 W KR2024006501 W KR 2024006501W WO 2025005456 A1 WO2025005456 A1 WO 2025005456A1
Authority
WO
WIPO (PCT)
Prior art keywords
host system
multimedia data
encrypted
data
encrypted multimedia
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/KR2024/006501
Other languages
French (fr)
Inventor
Ran Liu
Chuanji TANG
Zuolong WANG
Ye Sun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Publication of WO2025005456A1 publication Critical patent/WO2025005456A1/en
Priority to US19/297,450 priority Critical patent/US20250373452A1/en
Anticipated expiration legal-status Critical
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/647Control signaling between network components and server or clients; Network processes for video distribution between server and clients, e.g. controlling the quality of the video stream, by dropping packets, protecting content from unauthorised alteration within the network, monitoring of network load, bridging between two different networks, e.g. between IP and wireless
    • H04N21/64715Protecting content from unauthorized alteration within the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs
    • H04N21/2347Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs involving video stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2541Rights Management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving video stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4627Rights management associated to the content
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates

Definitions

  • the present disclosure relates to a computer technology field. More particularly, the present disclosure relates to a method and a device of multimedia playback for a virtual system, and an operation method and a device performed by a host system.
  • Virtualization technology has gradually become the focus of people's attention and is receiving more and more attention and importance. Virtualization technology is able to run another operating system and its application scope in one operating system, which can greatly expand the application scenarios of current operating systems.
  • DRM digital rights management
  • Exemplary embodiments of the present disclosure are to provide a method and a device of multimedia playback for a virtual system, and an operation method and device performed by a host system, so as to increase the strength of data protection, thereby meeting the requirements of high copyright multimedia streaming.
  • the method and device of multimedia playback for a virtual system includes: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data.
  • the acquiring of the license file for acquiring the encrypted multimedia data in the case that the application in the virtual system requesting access to the host system passes the authentication of the host system may include: in response to the application requesting access to the host system, determining, by the host system, whether the application is authorized for access by the host system; in a case of determining that the application is authorized for the access by the host system, acquiring a certificate for authenticating the application by the host system; acquiring the license file, in the case that the host system is determined to be authenticated based on the certificate.
  • the acquiring of the certificate may include: invoking a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
  • the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: sending the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
  • the invoking of the second digital rights management service of the host system by the first digital rights management service of the virtual system to acquire the certificate may include: downloading the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system, wherein the downloaded certificate is stored in the host system.
  • the acquiring of the license file may include: invoking the second digital rights management service by the first digital rights management service to generate a license request message, and sending the license request message to a license server to obtain the license file.
  • the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: determining whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application; sending the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
  • the method may further include: sending a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • the sending of the encrypted multimedia data to the host system by means of the data pointer address encryption may include: processing an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text; inserting a first verification code at a predetermined position of the cipher text to obtain a processed cipher text; sending the processed cipher text to the host system, wherein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code; matches the second verification code with the first verification code; and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
  • an operation method performed by a host system includes: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
  • the authenticating of the application may include: determining whether the application is authorized to make an access; in a case of determining that the application is authorized to make an access, acquiring a certificate for authenticating the application, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
  • the decrypting of the encrypted multimedia data may include: decrypting the encrypted multimedia data in a trusted execution environment.
  • the decrypting of the encrypted multimedia data in a trusted execution environment may include: decrypting a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code; matching the second verification code with a first verification code; acquiring the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
  • the method may further include: receiving a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • the device of multimedia playback for a virtual system includes: a channel establishing unit configured to establish a secure communication channel between the virtual system and a host system; a license file acquiring unit configured to acquire a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; an encrypted data acquiring unit configured to acquire the encrypted multimedia data based on the license file; a data decrypting unit configured to send the encrypted multimedia data to the host system for decryption based on the secure communication channel; and a multimedia playing back unit configured to acquire decrypted multimedia data obtained by decryption by the host system, and playback the decrypted multimedia data.
  • the license file acquiring unit may be configured to determine, by the host system, whether the application is authorized for access by the host system in response to the application requesting access to the host system, in a case of determining that the application is authorized for the access by the host system, to acquire a certificate for authenticating the application by the host system, and to acquire the license file, in the case that the host system is determined to be authenticated based on the certificate.
  • the license file acquiring unit may be configured to download the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system, wherein the downloaded certificate is stored in the host system.
  • the multimedia playing back unit may be configured to determine whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application, and to send the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
  • the device may further include a sending unit, configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • a sending unit configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • the multimedia playing back unit may be configured to process an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text, to insert a first verification code at a predetermined position of the cipher text to obtain a processed cipher text, and to send the processed cipher text to the host system.
  • the host system when decrypting the encrypted multimedia data in the trusted execution environment of the host system, decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code, matches the second verification code with the first verification code, and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
  • an operation device performed by a host system includes: a channel establishing unit configured to establish a secure communication channel between the host system and a virtual system; an authenticating unit configured to, in response to receiving an access request from an application in the virtual system, authenticate the application; an encrypted data receiving unit configured to receive the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; a data decrypting unit configured to decrypt the encrypted multimedia data.
  • the authenticating unit may be configured to determine whether the application is authorized to make an access, to acquire a certificate for authenticating the application in a case of determining that the application is authorized to make an access, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
  • the data decrypting unit may be configured to decrypt a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code, to match the second verification code with a first verification code, to acquire the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
  • the device may further include a receiving unit, configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • a receiving unit configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • a computer program product wherein instructions in the computer program product can be executed by a processor of the computer device to complete a method according to the exemplary embodiments of the present disclosure.
  • the method and the device of multimedia playback for a virtual system by establishing a secure communication channel between the virtual system and a host system, acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system, acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel, and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
  • the operation method and the operation device performed by a host system according to the exemplary embodiments of the present disclosure, by establishing a secure communication channel between the host system and a virtual system, authenticating the application in response to receiving an access request from an application in the virtual system, receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated, decrypting the encrypted multimedia data, it enables the playback of digital rights management resources with higher levels of security for copyright requirements in a virtual system, thereby increasing the strength of data protection.
  • FIG. 1 illustrates a flow chart of the method of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure
  • FIG. 2 illustrates a schematic diagram of the method multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure
  • FIG. 3 illustrates a schematic diagram of enhancing inter-system data transfer protection based on trusted data channels according to an exemplary embodiment of the present disclosure
  • FIG. 4 illustrates a schematic diagram of data pointer address encryption according to an exemplary embodiment of the present disclosure
  • FIG. 5 illustrates a schematic diagram of data pointer address decryption according to an exemplary embodiment of the present disclosure
  • FIG. 6 illustrates a schematic diagram of dynamically managing an application program of a virtual system using digital rights management of a host system, according to an exemplary embodiment of the present disclosure
  • FIG. 7 illustrates a schematic diagram of performing authentication using digital rights management of a host system, according to an exemplary embodiment of the present disclosure
  • FIG. 8 illustrates a flowchart of an operation method performed by a host system according to an exemplary embodiment of the present disclosure
  • FIG. 9 illustrates a block diagram of a device of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure
  • FIG. 10 illustrates a block diagram of a device of multimedia playback for a host system according to an exemplary embodiment of the present disclosure.
  • FIG. 11 illustrates a schematic diagram of a computing device according to an exemplary embodiment of the present disclosure.
  • the virtual system has many applications, and malicious applications frequently access to invoke the host system's digital rights management (DRM), which will take up too many resources; 2) while the host system has been authenticated by the DRM copyright holder's server, the virtual system needs to reapply for the authentication, which may not be authorized by the DRM copyright holder due to the lack of a trustworthy hardware environment; 3) when playing back DCM videos in the virtual system, because the virtual system cannot simulate the Trusted Execution Environment (TEE), it can only decrypt the DCM using software of a lower level, which cannot satisfy the requirements of high copyrights; 4) there is no complete solution to support the playback of multi-security levels, such as all the processes of the video are carried out in the Trusted Execution Environment (TEE) of the host system, and the decryption operation of the audio is done in the internal decryption of the virtual system; 5) although secure communication is established between the host system and the virtual system, there may be malicious programs that intercept or tamper with
  • FIG. 1 illustrates a flow chart of the method of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
  • step S101 a secure communication channel is established between the virtual system and a host system.
  • the virtual system supports the playback of digital rights-managed multimedia contents with a high-security level.
  • step S102 a license file for acquiring encrypted multimedia data is acquired in a case that an application in the virtual system requesting access to the host system passes authentication of the host system.
  • the acquiring of the license file for acquiring the encrypted multimedia data in the case that the application in the virtual system requesting access to the host system passes the authentication of the host system may include: in response to the application requesting access to the host system, determining, by the host system, whether the application is authorized for access by the host system; in a case of determining that the application is authorized for the access by the host system, acquiring a certificate for authenticating the application by the host system; acquiring the license file, in the case that the host system is determined to be authenticated based on the certificate.
  • the host system needs to manage the authentication for access of the applications of the virtual system, authorize applications that have been registered in the host system to make an access, and the whitelist data of the applications is stored in the trusted execution environment to prevent from being modified.
  • the acquiring of the certificate may include: invoking a second digital rights management service (for example, DRM2) of the host system by a first digital rights management service (for example, DRM1) of the virtual system to acquire the certificate.
  • DRM2 digital rights management service
  • DRM1 digital rights management service
  • the performing authentication management on the application by the host system may include: in the case that the application is determined to be a predetermined application, determining that the application is authorized to make an access by the host system. For example, the accessing of the applications in the virtual system to the host system's DRM is managed, and an application is denied to access to and use the DRM if it is not on the host system's DRM whitelist, which improves the host system's security and protects the limited resources of the DRM from being utilized.
  • the invoking of the second digital rights management service of the host system by the first digital rights management service of the virtual system to acquire the certificate may include: downloading the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system.
  • the downloaded certificate is stored in the host system.
  • the first digital rights management service of the virtual system invokes the second digital rights management service of the host system for authentication, and the second digital rights management service downloads a certificate from the authentication server, and the downloaded certificate is stored in the host system.
  • the acquiring of the license file may include: invoking the second digital rights management service by the first digital rights management service to generate a license request message, and sending the license request message to a license server to obtain the license file.
  • the first digital rights management service invokes the second digital rights management service to generate a request message for a license file and sends the message to a license server to obtain the license file, and then processes the license file for the application security level requirements.
  • step S103 the encrypted multimedia data is acquired based on the license file.
  • the application downloads encrypted audio and video data from a media content server.
  • the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: sending the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
  • the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: determining whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application; sending the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment, thereby decrypting the encrypted multimedia data in the trusted execution environment of the host system.
  • the multimedia data is put into a shared memory, and an address pointer is transmitted by a trusted channel, after being encrypted, to the host system for decryption.
  • the sending of the encrypted multimedia data to the host system by means of the data pointer address encryption may include: processing an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text; inserting a first verification code at a predetermined position of the cipher text to obtain a processed cipher text; sending the processed cipher text to the host system.
  • the host system when decrypting the encrypted multimedia data in the trusted execution environment of the host system, decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code; matches the second verification code with the first verification code; and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
  • step S105 decrypted multimedia data obtained by decryption by the host system is acquired, and the decrypted multimedia data is played back.
  • FIG. 2 illustrates a schematic diagram of the method multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
  • a secure communication channel is established between the host system and the virtual system.
  • the handle key and data pointer address of each module of the virtual system are encrypted, and the host system obtains the correct handle key and data pointer address by decryption, thereby further improving the security of inter-system data transmission protection.
  • the first digital rights management service DRM1 of the virtual system invokes the second digital rights management service DRM2 of the host system for authentication, and the second digital rights management service DRM2 downloads a certificate from a verification server, and the certificate is to be stored in the host system.
  • the first digital rights management service DRM1 invokes the second digital rights management service DRM2 to generate a license file (license) request message and sends the message to the license file server to obtain the license file (license), and then processes the license file (license) according to the application security level requirements.
  • the application downloads encrypted audio and video data from a media content server, determines whether to put the data into a trusted execution environment for decryption according to requirements of the application's usage scenario, and supports decryption of the same media file by using DRMs of digital rights management services with different security level requirements.
  • step 6 the multimedia data is put into a shared memory, and an address pointer is transmitted through a trusted channel, after being encrypted, to the host system for decryption.
  • FIG. 3 illustrates a schematic diagram of enhancing inter-system data transfer protection based on trusted data channels according to an exemplary embodiment of the present disclosure.
  • the virtual digital rights management service DRM in phase 1, the virtual digital rights management service DRM generates a unique handle key (for encrypting or decrypting a data pointer address), then encrypts the key using a public certificate, sends the encryption key to the host digital rights management service DRM using a secure channel, and decrypts the handle key using a private key of a trusted execution environment.
  • a unique handle key for encrypting or decrypting a data pointer address
  • the virtual digital rights management service DRM invokes the encryption module to encrypt the data pointer address with the key, and then sends the encrypted data pointer address to the host system's digital rights management service DRM.
  • the host digital rights management service DRM invokes the decryption module to decrypt the encrypted data pointer using the handle key to obtain a correct pointer address.
  • FIG. 4 illustrates a schematic diagram of data pointer address encryption according to an exemplary embodiment of the present disclosure.
  • the Context is a context of, for example, 64 bits (which may be generated by a key), the original value of the pointer and, for example, a 128-bit key are encrypted by an encryption algorithm to obtain a 64-bit cipher text, a verification code is inserted as a high bit of the pointer after truncation, and the value of the pointer is validated prior to the pointer being used.
  • FIG. 5 illustrates a schematic diagram of data pointer address decryption according to an exemplary embodiment of the present disclosure.
  • an incoming encrypted pointer is decrypted by a decryption algorithm to obtain a verification code, which is then compared with a verification code inserted in the pointer. If the verification codes are matched, a valid pointer can be obtained, and if they are not equal, the pointer is an invalid pointer.
  • FIG. 6 illustrates a schematic diagram of dynamically managing an application program of a virtual system using digital rights management of a host system, according to an exemplary embodiment of the present disclosure.
  • an application program ID is generated by performing hash processing on unique information identifying the identity of the application program, the application program ID is encrypted with a public certificate, and the encrypted application program ID is sent to the application management module of the host system.
  • the application program management module decrypts the application program ID with a private certificate to obtain the application program ID.
  • step 603 a list of application program IDs is queried.
  • step 604 if the application program ID is invalid, the application will be denied to access to the host system's digital rights management service DRM; if the application program ID is valid, the host system's digital rights management service DRM can be used.
  • FIG. 7 illustrates a schematic diagram of performing authentication using digital rights management of a host system, according to an exemplary embodiment of the present disclosure.
  • the virtual system cannot be authenticated without a legitimate token and needs to be authenticated using the host system's digital rights management service DRM.
  • the application program invokes the virtual digital rights management service DRM to initialize its host system's digital rights management service DRM.
  • the virtual system sends a request for the host system digital rights management service DRM to authenticate.
  • the host system's digital rights management service DRM obtains a legitimate token.
  • the host system's digital rights management service DRM generates an authentication request message with the token and sends the authentication request to the server.
  • the host system obtains the authentication certificate and stores it in the trusted execution environment.
  • FIG. 8 illustrates a flowchart of an operation method performed by a host system according to an exemplary embodiment of the present disclosure.
  • step S801 a secure communication channel is established between the host system and a virtual system.
  • step S802 in response to receiving an access request from an application in the virtual system, the application is authenticated.
  • the authenticating of the application may include: determining whether the application is authorized to make an access; in a case of determining that the application is authorized to make an access, acquiring a certificate for authenticating the application, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
  • step S803 in a case that the application is authenticated, the encrypted multimedia data is received based on the secure communication channel.
  • the method may further include: receiving a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • step S804 the encrypted multimedia data is decrypted.
  • the decrypting of the encrypted multimedia data may include: decrypting the encrypted multimedia data in a trusted execution environment.
  • the decrypting of the encrypted multimedia data in a trusted execution environment may include: decrypting a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code; matching the second verification code with a first verification code; acquiring the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
  • FIG. 9 The method of multimedia playback for a virtual system, the operation method performed by a host system according to the exemplary embodiments of the present disclosure has been described above in conjunction with FIGS. 1-8.
  • the device of multimedia playback for a virtual system and the unit thereof, the operation device performed by a host system according to the exemplary embodiments of the present disclosure will be described with reference to FIG. 9.
  • FIG. 9 illustrates a block diagram of a device of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
  • the device of multimedia playback for the virtual system includes a channel establishing unit 91, a license file acquiring unit 92, an encrypted data acquiring unit 93, a data decrypting unit 94, and a multimedia playing back unit 95.
  • the channel establishing unit 91 is configured to establish a secure communication channel between the virtual system and a host system.
  • the license file acquiring unit 92 is configured to acquire a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system.
  • the license file acquiring unit 92 may be configured to determine, by the host system, whether the application is authorized for access by the host system in response to the application requesting access to the host system, in a case of determining that the application is authorized for the access by the host system, to acquire a certificate for authenticating the application by the host system, and to acquire the license file, in the case that the host system is determined to be authenticated based on the certificate.
  • the license file acquiring unit 92 may be configured to invoke a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
  • the license file acquiring unit 92 may be configured to determine that the application is authorized for access by the host system, in the event that the application is determined to be a predetermined application.
  • the license file acquiring unit 92 may be configured to download the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system.
  • the downloaded certificate is stored in the host system.
  • the license file acquiring unit 92 may be configured to invoke the second digital rights management service by the first digital rights management service to generate a license request message, and to send the license request message to a license server to obtain the license file.
  • the encrypted data acquiring unit 93 is configured to acquire the encrypted multimedia data based on the license file.
  • the data decrypting unit 94 is configured to send the encrypted multimedia data to the host system for decryption based on the secure communication channel.
  • the data decrypting unit 94 may be configured to send the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
  • the device may further include a sending unit (not shown), configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • a sending unit (not shown), configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • the multimedia playing back unit 95 is configured to acquire decrypted multimedia data obtained by decryption by the host system, and playback the decrypted multimedia data.
  • the multimedia playing back unit 95 may be configured to determine whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application, and to send the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
  • the multimedia playing back unit 95 may be configured to process an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text, to insert a first verification code at a predetermined position of the cipher text to obtain a processed cipher text, and to send the processed cipher text to the host system.
  • the host system when decrypting the encrypted multimedia data in the trusted execution environment of the host system, decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code, matches the second verification code with the first verification code, and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
  • FIG. 10 illustrates a block diagram of an operation device performed by a host system according to an exemplary embodiment of the present disclosure.
  • the operation device performed by the host system includes a channel establishing unit 101, an authenticating unit 102, an encrypted data receiving unit 103, and a data decrypting unit 104.
  • the channel establishing unit 101 is configured to establish a secure communication channel between the host system and a virtual system.
  • the authenticating unit 102 is configured to, in response to receiving an access request from an application in the virtual system, authenticate the application.
  • the authenticating unit 102 may be configured to determine whether the application is authorized to make an access, to acquire a certificate for authenticating the application in a case of determining that the application is authorized to make an access, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
  • the encrypted data receiving unit 103 is configured to receive the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated.
  • the device may further include a receiving unit (not shown), configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • a receiving unit (not shown), configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  • the data decrypting unit 104 is configured to decrypt the encrypted multimedia data.
  • the data decrypting unit 104 may be configured to decrypt the encrypted multimedia data in a trusted execution environment.
  • the data decrypting unit 104 may be configured to decrypt a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code, to match the second verification code with a first verification code, to acquire the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed, a method of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure is implemented.
  • the computer-readable storage medium may carry one or more programs that, when executed, may implement the following steps: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
  • the computer-readable storage medium may carry one or more programs that, when executed, may implement the following steps: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
  • the computer-readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage medium may include, but are not limited to: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a computer program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
  • the computer program contained on the computer-readable storage medium may be transmitted using any appropriate medium, including but not limited to: wire, fiber optic cable, RF (radio frequency), etc., or any suitable combination of the above.
  • the computer-readable storage medium may be included in any device; it may also exist alone without being incorporated into the device.
  • the device of multimedia playback for a virtual system, and the operation device performed by a host system according to the exemplary embodiments of the present disclosure have been described above in conjunction with FIGs. 9 and 10.
  • a computing device according to the exemplary embodiment of the present disclosure will be described in conjunction with to FIG. 11.
  • FIG. 11 illustrates a schematic diagram of a computing device according to an exemplary embodiment of the present disclosure.
  • a computing device 11 includes a memory 111 and a processor 112, and the memory 111 stores a computer program.
  • the computer program is executed by the processor 112, a method of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure is implemented.
  • the following steps may be implemented: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
  • the following steps may be implemented: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
  • the computing device in embodiments of the present disclosure may include, but are not limited to, devices such as mobile phones, notebook computers, PDAs (personal digital assistants), PADs (tablet computers), desktop computers, and the like.
  • the computing device shown in FIG. 11 is only an example, and should not impose any limitation on the function and scope of use of the embodiments of the present disclosure.
  • the method and device of multimedia playback for a virtual system, and the operation method and device performed by a host system according to the exemplary embodiments of the present disclosure have been described above with reference to FIGs. 1-11.
  • the method of multimedia playback for a virtual system and the unit thereof and the operation method performed by a host system shown in FIGs. 9 and 10 may be respectively configured as software, hardware, firmware or any combination of the above to perform specific functions
  • the computing device shown in FIG. 11 is not limited to including the above shown components, but some components may be added or deleted according to needs, and the above components may also be combined.
  • the method and the device of multimedia playback for a virtual system by establishing a secure communication channel between the virtual system and a host system, acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system, acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel, and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
  • the method and the device of multimedia playback for a virtual system improves the strength of data protection without affecting performance by using an inter-module or inter-system encryption protection scheme.
  • the method and the device of multimedia playback for a virtual system can support the playback of multimedia content with multiple security levels, which improves the overall decryption performance of the multimedia, and can increase audio processing scenarios.
  • the method and the device of multimedia playback for a virtual system may further dynamically manage applications of the virtual system to prevent malicious applications from occupying limited digital rights management resources; reuse the host system digital rights management authentication to make the digital rights management of the virtual system usable; and, because the trusted execution environment is based on the hardware environment of the host system, there is no need to separately develop and assign the virtual system with a trusted execution environment.
  • the method and the device of multimedia playback for a virtual system may support all scenarios in which the virtual system requires a trusted execution environment, such as, but not limited to, a digital wallet, a fingerprint payment, an authentication, and the like.
  • the method and the device of multimedia playback for a virtual system may be used not only in virtual machines based on containerization technology, but also in virtual machines based on other technologies.
  • the method and the device of multimedia playback for a virtual system are not only limited to be used in digital rights management media resources with high copyright requirements, but may also be applied in virtual machines that require trusted execution environments to support high-level security scenarios, such as digital wallets, payment authentication, identity verification, and the like.
  • the operation method performed by a host system by establishing a secure communication channel between the host system and a virtual system, authenticating the application in response to receiving an access request from an application in the virtual system, receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated, decrypting the encrypted multimedia data, it enables the playback of digital rights management resources with higher levels of security for copyright requirements in a virtual system, thereby increasing the strength of data protection.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)

Abstract

A method and a device of multimedia playback for a virtual system are provided, the method of multimedia playback for a virtual system includes: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.

Description

METHOD AND DEVICE OF MULTIMEDIA PLAYBACK FOR VIRTUAL SYSTEM
The present disclosure relates to a computer technology field. More particularly, the present disclosure relates to a method and a device of multimedia playback for a virtual system, and an operation method and a device performed by a host system.
In recent years, virtualization technology has gradually become the focus of people's attention and is receiving more and more attention and importance. Virtualization technology is able to run another operating system and its application scope in one operating system, which can greatly expand the application scenarios of current operating systems.
As people pay more attention to copyright, digital rights management (DRM) is more and more widely used. When playing back back various media files, the media files can be protected by encryption through digital rights management. However, virtual systems cannot simulate a trusted execution environment and can only decrypt digital rights management resources using software with a relatively low level of security, which cannot meet the requirements of high copyright. Therefore, there is a need for multimedia playback solutions that can support higher security level scenarios to increase the strength of data protection, thereby meeting the requirements of high copyright multimedia streaming.
Exemplary embodiments of the present disclosure are to provide a method and a device of multimedia playback for a virtual system, and an operation method and device performed by a host system, so as to increase the strength of data protection, thereby meeting the requirements of high copyright multimedia streaming.
According to the exemplary embodiments of the present disclosure, there provides a method of multimedia playback for a virtual system, the method and device of multimedia playback for a virtual system includes: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data.
Alternatively, the acquiring of the license file for acquiring the encrypted multimedia data in the case that the application in the virtual system requesting access to the host system passes the authentication of the host system may include: in response to the application requesting access to the host system, determining, by the host system, whether the application is authorized for access by the host system; in a case of determining that the application is authorized for the access by the host system, acquiring a certificate for authenticating the application by the host system; acquiring the license file, in the case that the host system is determined to be authenticated based on the certificate.
Alternatively, the acquiring of the certificate may include: invoking a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
Alternatively, the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: sending the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
Alternatively, the invoking of the second digital rights management service of the host system by the first digital rights management service of the virtual system to acquire the certificate may include: downloading the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system, wherein the downloaded certificate is stored in the host system.
Alternatively, the acquiring of the license file may include: invoking the second digital rights management service by the first digital rights management service to generate a license request message, and sending the license request message to a license server to obtain the license file.
Alternatively, the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: determining whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application; sending the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
Alternatively, the method may further include: sending a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
Alternatively, the sending of the encrypted multimedia data to the host system by means of the data pointer address encryption may include: processing an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text; inserting a first verification code at a predetermined position of the cipher text to obtain a processed cipher text; sending the processed cipher text to the host system, wherein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code; matches the second verification code with the first verification code; and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
According to the exemplary embodiments of the present disclosure, there provides an operation method performed by a host system, the operation method performed by a host system includes: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
Alternatively, the authenticating of the application may include: determining whether the application is authorized to make an access; in a case of determining that the application is authorized to make an access, acquiring a certificate for authenticating the application, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
Alternatively, the decrypting of the encrypted multimedia data may include: decrypting the encrypted multimedia data in a trusted execution environment.
Alternatively, the decrypting of the encrypted multimedia data in a trusted execution environment may include: decrypting a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code; matching the second verification code with a first verification code; acquiring the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
Alternatively, the method may further include: receiving a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
According to the exemplary embodiments of the present disclosure, there provides a device of multimedia playback for a virtual system, the device of multimedia playback for a virtual system includes: a channel establishing unit configured to establish a secure communication channel between the virtual system and a host system; a license file acquiring unit configured to acquire a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; an encrypted data acquiring unit configured to acquire the encrypted multimedia data based on the license file; a data decrypting unit configured to send the encrypted multimedia data to the host system for decryption based on the secure communication channel; and a multimedia playing back unit configured to acquire decrypted multimedia data obtained by decryption by the host system, and playback the decrypted multimedia data.
Alternatively, the license file acquiring unit may be configured to determine, by the host system, whether the application is authorized for access by the host system in response to the application requesting access to the host system, in a case of determining that the application is authorized for the access by the host system, to acquire a certificate for authenticating the application by the host system, and to acquire the license file, in the case that the host system is determined to be authenticated based on the certificate.
Alternatively, the license file acquiring unit may be configured to invoke a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
Alternatively, the data decrypting unit may be configured to send the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
Alternatively, the license file acquiring unit may be configured to download the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system, wherein the downloaded certificate is stored in the host system.
Alternatively, the license file acquiring unit may be configured to invoke the second digital rights management service by the first digital rights management service to generate a license request message, and to send the license request message to a license server to obtain the license file.
Alternatively, the multimedia playing back unit may be configured to determine whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application, and to send the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
Alternatively, the device may further include a sending unit, configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
Alternatively, the multimedia playing back unit may be configured to process an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text, to insert a first verification code at a predetermined position of the cipher text to obtain a processed cipher text, and to send the processed cipher text to the host system. Wherein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code, matches the second verification code with the first verification code, and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
According to the exemplary embodiments of the present disclosure, there provides an operation device performed by a host system, the operation device performed by a host system includes: a channel establishing unit configured to establish a secure communication channel between the host system and a virtual system; an authenticating unit configured to, in response to receiving an access request from an application in the virtual system, authenticate the application; an encrypted data receiving unit configured to receive the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; a data decrypting unit configured to decrypt the encrypted multimedia data.
Alternatively, the authenticating unit may be configured to determine whether the application is authorized to make an access, to acquire a certificate for authenticating the application in a case of determining that the application is authorized to make an access, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
Alternatively, the data decrypting unit may be configured to decrypt the encrypted multimedia data in a trusted execution environment.
Alternatively, the data decrypting unit may be configured to decrypt a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code, to match the second verification code with a first verification code, to acquire the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
Alternatively, the device may further include a receiving unit, configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
According to exemplary embodiments of the present disclosure, there provides a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed by a processor, a method according to the exemplary embodiments of the present disclosure is implemented.
According to the exemplary embodiments of the present disclosure, there provides a computing device including: at least one processor; and at least a memory storing a computer program, wherein when the computer program is executed by the processor, a method according to the exemplary embodiments of the present disclosure is implemented.
According to exemplary embodiments of the present disclosure, there provides a computer program product, wherein instructions in the computer program product can be executed by a processor of the computer device to complete a method according to the exemplary embodiments of the present disclosure.
The method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure, by establishing a secure communication channel between the virtual system and a host system, acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system, acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel, and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
The operation method and the operation device performed by a host system according to the exemplary embodiments of the present disclosure, by establishing a secure communication channel between the host system and a virtual system, authenticating the application in response to receiving an access request from an application in the virtual system, receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated, decrypting the encrypted multimedia data, it enables the playback of digital rights management resources with higher levels of security for copyright requirements in a virtual system, thereby increasing the strength of data protection.
Additional aspects and/or advantages of the general concept of the present disclosure will be partially explained in the following description, and still others will be clear from the description, or may be known through the implementation of the general concept of the present disclosure.
The above and other objects and features of the exemplary embodiments of the present disclosure will become clearer through the following description in conjunction with the drawings that exemplarily illustrate embodiments, wherein
FIG. 1 illustrates a flow chart of the method of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure;
FIG. 2 illustrates a schematic diagram of the method multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure;
FIG. 3 illustrates a schematic diagram of enhancing inter-system data transfer protection based on trusted data channels according to an exemplary embodiment of the present disclosure;
FIG. 4 illustrates a schematic diagram of data pointer address encryption according to an exemplary embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of data pointer address decryption according to an exemplary embodiment of the present disclosure;
FIG. 6 illustrates a schematic diagram of dynamically managing an application program of a virtual system using digital rights management of a host system, according to an exemplary embodiment of the present disclosure;
FIG. 7 illustrates a schematic diagram of performing authentication using digital rights management of a host system, according to an exemplary embodiment of the present disclosure;
FIG. 8 illustrates a flowchart of an operation method performed by a host system according to an exemplary embodiment of the present disclosure;
FIG. 9 illustrates a block diagram of a device of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure;
FIG. 10 illustrates a block diagram of a device of multimedia playback for a host system according to an exemplary embodiment of the present disclosure; and
FIG. 11 illustrates a schematic diagram of a computing device according to an exemplary embodiment of the present disclosure.
Reference will now be made in detail to the exemplary embodiments of the present disclosure, examples of which are illustrated in the drawings, wherein the same reference numerals always refer to the same members. The embodiments are described below in order to explain the present disclosure by referring to the drawings.
In related art, 1) the virtual system has many applications, and malicious applications frequently access to invoke the host system's digital rights management (DRM), which will take up too many resources; 2) while the host system has been authenticated by the DRM copyright holder's server, the virtual system needs to reapply for the authentication, which may not be authorized by the DRM copyright holder due to the lack of a trustworthy hardware environment; 3) when playing back DCM videos in the virtual system, because the virtual system cannot simulate the Trusted Execution Environment (TEE), it can only decrypt the DCM using software of a lower level, which cannot satisfy the requirements of high copyrights; 4) there is no complete solution to support the playback of multi-security levels, such as all the processes of the video are carried out in the Trusted Execution Environment (TEE) of the host system, and the decryption operation of the audio is done in the internal decryption of the virtual system; 5) although secure communication is established between the host system and the virtual system, there may be malicious programs that intercept or tamper with the data (e.g., obtaining the address of pointers in the shared memory), and the multimedia data is vulnerable to corruption.
FIG. 1 illustrates a flow chart of the method of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
Referring to FIG. 1, in step S101, a secure communication channel is established between the virtual system and a host system.
Specifically, the virtual system supports the playback of digital rights-managed multimedia contents with a high-security level.
In step S102, a license file for acquiring encrypted multimedia data is acquired in a case that an application in the virtual system requesting access to the host system passes authentication of the host system.
In the exemplary embodiment of the present disclosure, the acquiring of the license file for acquiring the encrypted multimedia data in the case that the application in the virtual system requesting access to the host system passes the authentication of the host system may include: in response to the application requesting access to the host system, determining, by the host system, whether the application is authorized for access by the host system; in a case of determining that the application is authorized for the access by the host system, acquiring a certificate for authenticating the application by the host system; acquiring the license file, in the case that the host system is determined to be authenticated based on the certificate. Specifically, the host system needs to manage the authentication for access of the applications of the virtual system, authorize applications that have been registered in the host system to make an access, and the whitelist data of the applications is stored in the trusted execution environment to prevent from being modified.
In the exemplary embodiment of the present disclosure, the acquiring of the certificate may include: invoking a second digital rights management service (for example, DRM2) of the host system by a first digital rights management service (for example, DRM1) of the virtual system to acquire the certificate.
It may be determined that an application is authorized for access by the host system by performing authentication management on the application by the host system. In the exemplary embodiment of the present disclosure, the performing authentication management on the application by the host system may include: in the case that the application is determined to be a predetermined application, determining that the application is authorized to make an access by the host system. For example, the accessing of the applications in the virtual system to the host system's DRM is managed, and an application is denied to access to and use the DRM if it is not on the host system's DRM whitelist, which improves the host system's security and protects the limited resources of the DRM from being utilized.
In the exemplary embodiment of the present disclosure, the invoking of the second digital rights management service of the host system by the first digital rights management service of the virtual system to acquire the certificate may include: downloading the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system. In the exemplary embodiment of the present disclosure, the downloaded certificate is stored in the host system. Specifically, the first digital rights management service of the virtual system invokes the second digital rights management service of the host system for authentication, and the second digital rights management service downloads a certificate from the authentication server, and the downloaded certificate is stored in the host system.
In the exemplary embodiment of the present disclosure, the acquiring of the license file may include: invoking the second digital rights management service by the first digital rights management service to generate a license request message, and sending the license request message to a license server to obtain the license file. For example, the first digital rights management service invokes the second digital rights management service to generate a request message for a license file and sends the message to a license server to obtain the license file, and then processes the license file for the application security level requirements.
In step S103, the encrypted multimedia data is acquired based on the license file.
Specifically, the application downloads encrypted audio and video data from a media content server.
In step S104, the encrypted multimedia data is sent to the host system for decryption based on the secure communication channel. For example, according to requirements of a usage scenario of the application, it is determined whether to decrypt data in a trusted execution environment, and decryption of the same media file using digital rights management with different security level requirements is supported.
In the exemplary embodiment of the present disclosure, the method may further include: sending a handle key (for example, handle keys of individual modules) and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state. The host system obtains the correct handle key and data pointer address by decryption, in order to further improve the security of inter-system data transfer protection.
In the exemplary embodiment of the present disclosure, the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: sending the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
In the exemplary embodiment of the present disclosure, the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel may include: determining whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application; sending the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment, thereby decrypting the encrypted multimedia data in the trusted execution environment of the host system. The multimedia data is put into a shared memory, and an address pointer is transmitted by a trusted channel, after being encrypted, to the host system for decryption.
In the exemplary embodiment of the present disclosure, the sending of the encrypted multimedia data to the host system by means of the data pointer address encryption may include: processing an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text; inserting a first verification code at a predetermined position of the cipher text to obtain a processed cipher text; sending the processed cipher text to the host system. Herein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code; matches the second verification code with the first verification code; and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
In step S105, decrypted multimedia data obtained by decryption by the host system is acquired, and the decrypted multimedia data is played back.
FIG. 2 illustrates a schematic diagram of the method multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
As shown in FIG. 2, at step ①, a secure communication channel is established between the host system and the virtual system. The handle key and data pointer address of each module of the virtual system are encrypted, and the host system obtains the correct handle key and data pointer address by decryption, thereby further improving the security of inter-system data transmission protection.
At step ②, the host system performs authentication management on the access of the applications of the virtual system, authorizes the access of the applications that have been registered in the host system, and the whitelist data of the applications is saved in the trusted execution environment to prevent from being modified.
At step ③, the first digital rights management service DRM1 of the virtual system invokes the second digital rights management service DRM2 of the host system for authentication, and the second digital rights management service DRM2 downloads a certificate from a verification server, and the certificate is to be stored in the host system.
At step ④, the first digital rights management service DRM1 invokes the second digital rights management service DRM2 to generate a license file (license) request message and sends the message to the license file server to obtain the license file (license), and then processes the license file (license) according to the application security level requirements.
At step ⑤, the application downloads encrypted audio and video data from a media content server, determines whether to put the data into a trusted execution environment for decryption according to requirements of the application's usage scenario, and supports decryption of the same media file by using DRMs of digital rights management services with different security level requirements.
In step ⑥, the multimedia data is put into a shared memory, and an address pointer is transmitted through a trusted channel, after being encrypted, to the host system for decryption.
Data in each module of the virtual system can only be accessed by specified modules, for example, only the digital rights management service can obtain the correct pointer address of the virtual digital rights management data.
FIG. 3 illustrates a schematic diagram of enhancing inter-system data transfer protection based on trusted data channels according to an exemplary embodiment of the present disclosure.
As shown in FIG. 3, in phase ①, the virtual digital rights management service DRM generates a unique handle key (for encrypting or decrypting a data pointer address), then encrypts the key using a public certificate, sends the encryption key to the host digital rights management service DRM using a secure channel, and decrypts the handle key using a private key of a trusted execution environment.
In phase ②, the virtual digital rights management service DRM invokes the encryption module to encrypt the data pointer address with the key, and then sends the encrypted data pointer address to the host system's digital rights management service DRM.
In phase ③, the host digital rights management service DRM invokes the decryption module to decrypt the encrypted data pointer using the handle key to obtain a correct pointer address.
FIG. 4 illustrates a schematic diagram of data pointer address encryption according to an exemplary embodiment of the present disclosure. As shown in FIG. 4, the Context is a context of, for example, 64 bits (which may be generated by a key), the original value of the pointer and, for example, a 128-bit key are encrypted by an encryption algorithm to obtain a 64-bit cipher text, a verification code is inserted as a high bit of the pointer after truncation, and the value of the pointer is validated prior to the pointer being used.
FIG. 5 illustrates a schematic diagram of data pointer address decryption according to an exemplary embodiment of the present disclosure. As shown in FIG. 5, an incoming encrypted pointer is decrypted by a decryption algorithm to obtain a verification code, which is then compared with a verification code inserted in the pointer. If the verification codes are matched, a valid pointer can be obtained, and if they are not equal, the pointer is an invalid pointer.
FIG. 6 illustrates a schematic diagram of dynamically managing an application program of a virtual system using digital rights management of a host system, according to an exemplary embodiment of the present disclosure.
As shown in FIG. 6, at step 601, an application program ID is generated by performing hash processing on unique information identifying the identity of the application program, the application program ID is encrypted with a public certificate, and the encrypted application program ID is sent to the application management module of the host system.
At step 602, the application program management module decrypts the application program ID with a private certificate to obtain the application program ID.
At step 603, a list of application program IDs is queried.
At step 604, if the application program ID is invalid, the application will be denied to access to the host system's digital rights management service DRM; if the application program ID is valid, the host system's digital rights management service DRM can be used.
FIG. 7 illustrates a schematic diagram of performing authentication using digital rights management of a host system, according to an exemplary embodiment of the present disclosure. The virtual system cannot be authenticated without a legitimate token and needs to be authenticated using the host system's digital rights management service DRM.
As shown in FIG. 7, at step 701, the application program invokes the virtual digital rights management service DRM to initialize its host system's digital rights management service DRM.
At step 702, the virtual system sends a request for the host system digital rights management service DRM to authenticate.
At step 703, the host system's digital rights management service DRM obtains a legitimate token.
At step 704, the host system's digital rights management service DRM generates an authentication request message with the token and sends the authentication request to the server.
At step 705, the host system obtains the authentication certificate and stores it in the trusted execution environment.
FIG. 8 illustrates a flowchart of an operation method performed by a host system according to an exemplary embodiment of the present disclosure.
Referring to FIG. 8, in step S801, a secure communication channel is established between the host system and a virtual system.
In step S802, in response to receiving an access request from an application in the virtual system, the application is authenticated.
In the exemplary embodiment of the present disclosure, the authenticating of the application may include: determining whether the application is authorized to make an access; in a case of determining that the application is authorized to make an access, acquiring a certificate for authenticating the application, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
In step S803, in a case that the application is authenticated, the encrypted multimedia data is received based on the secure communication channel.
In the exemplary embodiment of the present disclosure, the method may further include: receiving a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
In step S804, the encrypted multimedia data is decrypted.
In the exemplary embodiment of the present disclosure, the decrypting of the encrypted multimedia data may include: decrypting the encrypted multimedia data in a trusted execution environment.
In the exemplary embodiment of the present disclosure, the decrypting of the encrypted multimedia data in a trusted execution environment may include: decrypting a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code; matching the second verification code with a first verification code; acquiring the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
With the method of multimedia playback for the host system in FIG. 8, it is enabled to request the playback of digital rights management resources with higher levels of security for copyright requirements in a virtual system, thus the strength of data protection is improved.
The method of multimedia playback for a virtual system, the operation method performed by a host system according to the exemplary embodiments of the present disclosure has been described above in conjunction with FIGS. 1-8. Hereinafter, the device of multimedia playback for a virtual system and the unit thereof, the operation device performed by a host system according to the exemplary embodiments of the present disclosure will be described with reference to FIG. 9.
FIG. 9 illustrates a block diagram of a device of multimedia playback for a virtual system according to an exemplary embodiment of the present disclosure.
Referring to FIG. 9, the device of multimedia playback for the virtual system includes a channel establishing unit 91, a license file acquiring unit 92, an encrypted data acquiring unit 93, a data decrypting unit 94, and a multimedia playing back unit 95.
The channel establishing unit 91 is configured to establish a secure communication channel between the virtual system and a host system.
The license file acquiring unit 92 is configured to acquire a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system.
In the exemplary embodiment of the present disclosure, the license file acquiring unit 92 may be configured to determine, by the host system, whether the application is authorized for access by the host system in response to the application requesting access to the host system, in a case of determining that the application is authorized for the access by the host system, to acquire a certificate for authenticating the application by the host system, and to acquire the license file, in the case that the host system is determined to be authenticated based on the certificate.
In the exemplary embodiment of the present disclosure, the license file acquiring unit 92 may be configured to invoke a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
In the exemplary embodiment of the present disclosure, the license file acquiring unit 92 may be configured to determine that the application is authorized for access by the host system, in the event that the application is determined to be a predetermined application.
In the exemplary embodiment of the present disclosure, the license file acquiring unit 92 may be configured to download the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system.
In the exemplary embodiment of the present disclosure, the downloaded certificate is stored in the host system.
In the exemplary embodiment of the present disclosure, the license file acquiring unit 92 may be configured to invoke the second digital rights management service by the first digital rights management service to generate a license request message, and to send the license request message to a license server to obtain the license file.
The encrypted data acquiring unit 93 is configured to acquire the encrypted multimedia data based on the license file.
The data decrypting unit 94 is configured to send the encrypted multimedia data to the host system for decryption based on the secure communication channel.
In the exemplary embodiment of the present disclosure, the data decrypting unit 94 may be configured to send the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
In the exemplary embodiment of the present disclosure, the device may further include a sending unit (not shown), configured to send a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
The multimedia playing back unit 95 is configured to acquire decrypted multimedia data obtained by decryption by the host system, and playback the decrypted multimedia data.
In the exemplary embodiment of the present disclosure, the multimedia playing back unit 95 may be configured to determine whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application, and to send the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
In the exemplary embodiment of the present disclosure, the multimedia playing back unit 95 may be configured to process an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text, to insert a first verification code at a predetermined position of the cipher text to obtain a processed cipher text, and to send the processed cipher text to the host system. Wherein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code, matches the second verification code with the first verification code, and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
FIG. 10 illustrates a block diagram of an operation device performed by a host system according to an exemplary embodiment of the present disclosure.
Referring to FIG. 10, the operation device performed by the host system includes a channel establishing unit 101, an authenticating unit 102, an encrypted data receiving unit 103, and a data decrypting unit 104.
The channel establishing unit 101 is configured to establish a secure communication channel between the host system and a virtual system.
The authenticating unit 102 is configured to, in response to receiving an access request from an application in the virtual system, authenticate the application.
In the exemplary embodiment of the present disclosure, the authenticating unit 102 may be configured to determine whether the application is authorized to make an access, to acquire a certificate for authenticating the application in a case of determining that the application is authorized to make an access, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
The encrypted data receiving unit 103 is configured to receive the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated.
In the exemplary embodiment of the present disclosure, the device may further include a receiving unit (not shown), configured to receive a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
The data decrypting unit 104 is configured to decrypt the encrypted multimedia data.
In the exemplary embodiment of the present disclosure, the data decrypting unit 104 may be configured to decrypt the encrypted multimedia data in a trusted execution environment.
In the exemplary embodiment of the present disclosure, the data decrypting unit 104 may be configured to decrypt a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code, to match the second verification code with a first verification code, to acquire the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
In addition, according to the exemplary embodiments of the present disclosure, there also provides a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed, a method of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure is implemented.
In the exemplary embodiments of the present disclosure, the computer-readable storage medium may carry one or more programs that, when executed, may implement the following steps: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
In the exemplary embodiments of the present disclosure, the computer-readable storage medium may carry one or more programs that, when executed, may implement the following steps: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
The computer-readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage medium may include, but are not limited to: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the above. In embodiments of the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a computer program that can be used by or in conjunction with an instruction execution system, apparatus, or device. The computer program contained on the computer-readable storage medium may be transmitted using any appropriate medium, including but not limited to: wire, fiber optic cable, RF (radio frequency), etc., or any suitable combination of the above. The computer-readable storage medium may be included in any device; it may also exist alone without being incorporated into the device.
In addition, according to exemplary embodiments of the present disclosure, there also provides a computer program product, wherein instructions in the computer program product can be executed by a processor of the computer device to complete the method of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure.
The device of multimedia playback for a virtual system, and the operation device performed by a host system according to the exemplary embodiments of the present disclosure have been described above in conjunction with FIGs. 9 and 10. Next, a computing device according to the exemplary embodiment of the present disclosure will be described in conjunction with to FIG. 11.
FIG. 11 illustrates a schematic diagram of a computing device according to an exemplary embodiment of the present disclosure.
Referring to FIG. 11, a computing device 11 according to the exemplary embodiment of the present disclosure includes a memory 111 and a processor 112, and the memory 111 stores a computer program. When the computer program is executed by the processor 112, a method of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure is implemented.
In the exemplary embodiments of the present disclosure, when the computer program is executed by the processor 112, the following steps may be implemented: establishing a secure communication channel between the virtual system and a host system; acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system; acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
In the exemplary embodiments of the present disclosure, when the computer program is executed by the processor 112, the following steps may be implemented: establishing a secure communication channel between the host system and a virtual system; in response to receiving an access request from an application in the virtual system, authenticating the application; receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated; decrypting the encrypted multimedia data.
The computing device in embodiments of the present disclosure may include, but are not limited to, devices such as mobile phones, notebook computers, PDAs (personal digital assistants), PADs (tablet computers), desktop computers, and the like. The computing device shown in FIG. 11 is only an example, and should not impose any limitation on the function and scope of use of the embodiments of the present disclosure.
The method and device of multimedia playback for a virtual system, and the operation method and device performed by a host system according to the exemplary embodiments of the present disclosure have been described above with reference to FIGs. 1-11. However, it should be understood: the method of multimedia playback for a virtual system and the unit thereof and the operation method performed by a host system shown in FIGs. 9 and 10 may be respectively configured as software, hardware, firmware or any combination of the above to perform specific functions, and the computing device shown in FIG. 11 is not limited to including the above shown components, but some components may be added or deleted according to needs, and the above components may also be combined.
The method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure, by establishing a secure communication channel between the virtual system and a host system, acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system, acquiring the encrypted multimedia data based on the license file; sending the encrypted multimedia data to the host system for decryption based on the secure communication channel, and acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data, thus it is possible to playback digital rights management resources with a higher level of security for copyright requirements in the virtual system by decrypting with the help of the host system, which improves the strength of data protection.
In addition, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure, improves the strength of data protection without affecting performance by using an inter-module or inter-system encryption protection scheme.
In addition, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure can support the playback of multimedia content with multiple security levels, which improves the overall decryption performance of the multimedia, and can increase audio processing scenarios.
In addition, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure may further dynamically manage applications of the virtual system to prevent malicious applications from occupying limited digital rights management resources; reuse the host system digital rights management authentication to make the digital rights management of the virtual system usable; and, because the trusted execution environment is based on the hardware environment of the host system, there is no need to separately develop and assign the virtual system with a trusted execution environment.
In addition, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure may support all scenarios in which the virtual system requires a trusted execution environment, such as, but not limited to, a digital wallet, a fingerprint payment, an authentication, and the like.
Furthermore, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure may be used not only in virtual machines based on containerization technology, but also in virtual machines based on other technologies.
In addition, the method and the device of multimedia playback for a virtual system according to the exemplary embodiments of the present disclosure are not only limited to be used in digital rights management media resources with high copyright requirements, but may also be applied in virtual machines that require trusted execution environments to support high-level security scenarios, such as digital wallets, payment authentication, identity verification, and the like.
The operation method performed by a host system according to the exemplary embodiments of the present disclosure, by establishing a secure communication channel between the host system and a virtual system, authenticating the application in response to receiving an access request from an application in the virtual system, receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated, decrypting the encrypted multimedia data, it enables the playback of digital rights management resources with higher levels of security for copyright requirements in a virtual system, thereby increasing the strength of data protection.
Although the present disclosure has been specifically shown and described with reference to the exemplary embodiments thereof, those skilled in the art should understand that various changes of the forms and details can be made without departing from the spirit and scope of the present disclosure as defined by the claims.

Claims (15)

  1. A method of multimedia playback for a virtual system, comprising:
    establishing a secure communication channel between the virtual system and a host system;
    acquiring a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system;
    acquiring the encrypted multimedia data based on the license file;
    sending the encrypted multimedia data to the host system for decryption based on the secure communication channel; and
    acquiring decrypted multimedia data obtained by decryption by the host system, and playing back the decrypted multimedia data.
  2. The method according to claim 1, wherein the acquiring of the license file for acquiring the encrypted multimedia data in the case that the application in the virtual system requesting access to the host system passes the authentication of the host system comprises:
    in response to the application requesting access to the host system, determining, by the host system, whether the application is authorized for access by the host system;
    in a case of determining that the application is authorized for the access by the host system, acquiring a certificate for authenticating the application by the host system;
    acquiring the license file, in the case that the host system is determined to be authenticated based on the certificate.
  3. The method according to claim 2, wherein the acquiring of the certificate comprises:
    invoking a second digital rights management service of the host system by a first digital rights management service of the virtual system to acquire the certificate.
  4. The method according to claim 2, wherein the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel comprises:
    sending the encrypted multimedia data to the host system by means of data pointer address encryption in the secure communication channel.
  5. The method according to claim 3, wherein the invoking of the second digital rights management service of the host system by the first digital rights management service of the virtual system to acquire the certificate comprises:
    downloading the certificate from an authentication server for authentication by invoking the second digital rights management service of the host system by the first digital rights management service of the virtual system, wherein the downloaded certificate is stored in the host system.
  6. The method according to claim 2, wherein the acquiring of the license file comprises:
    invoking the second digital rights management service by the first digital rights management service to generate a license request message, and sending the license request message to a license server to obtain the license file.
  7. The method according to claim 1, wherein the sending of the encrypted multimedia data to the host system for decryption based on the secure communication channel comprises:
    determining whether to decrypt the encrypted multimedia data in a trusted execution environment, according to requirements of a usage scenario of the application;
    sending the encrypted multimedia data to the host system for decrypting the encrypted multimedia data in the trusted execution environment of the host system, when it is determined to decrypt the encrypted multimedia data in the trusted execution environment.
  8. The method according to claim 1, further comprising:
    sending a handle key and/or a data pointer address for decrypting the multimedia data to the host system based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  9. The method according to claim 4, wherein the sending of the encrypted multimedia data to the host system by means of the data pointer address encryption comprises:
    processing an original value and a key of the data pointer address of the encrypted multimedia data by an encryption algorithm to obtain a cipher text;
    inserting a first verification code at a predetermined position of the cipher text to obtain a processed cipher text;
    sending the processed cipher text to the host system,
    wherein, when decrypting the encrypted multimedia data in the trusted execution environment of the host system, the host system decrypts the data pointer address of the encrypted multimedia data by the decryption algorithm to obtain a second verification code; matches the second verification code with the first verification code; and obtains the data pointer address of the encrypted multimedia data in a case of a successful match between the second verification code and the first verification code.
  10. An operation method performed by a host system comprising:
    establishing a secure communication channel between the host system and a virtual system;
    in response to receiving an access request from an application in the virtual system, authenticating the application;
    receiving the encrypted multimedia data based on the secure communication channel in a case that the application is authenticated;
    decrypting the encrypted multimedia data.
  11. The method according to claim 10, wherein the authenticating of the application comprises:
    determining whether the application is authorized to make an access;
    in a case of determining that the application is authorized to make an access, acquiring a certificate for authenticating the application, wherein the virtual system acquires a license file for acquiring the encrypted multimedia data based on the certificate, acquires the encrypted multimedia data based on the license file, and sends the encrypted multimedia data to the host system.
  12. The method according to claim 10, wherein the decrypting of the encrypted multimedia data comprises: decrypting the encrypted multimedia data in a trusted execution environment.
  13. The method according to claim 12, wherein the decrypting of the encrypted multimedia data in a trusted execution environment comprises:
    decrypting a data pointer address of the encrypted multimedia data by a decryption algorithm to obtain a second verification code;
    matching the second verification code with a first verification code;
    acquiring the data pointer address of the encrypted multimedia data in a case of successful matching of the second verification code with the first verification code.
  14. The method according to claim 10, further comprising:
    receiving a handle key and/or a data pointer address for decrypting the multimedia data based on the secure communication channel, wherein the handle key and/or the data pointer address for decrypting the multimedia data is in an encrypted state.
  15. A device of multimedia playback for a virtual system, comprising:
    a channel establishing unit configured to establish a secure communication channel between the virtual system and a host system;
    a license file acquiring unit configured to acquire a license file for acquiring encrypted multimedia data in a case that an application in the virtual system requesting access to the host system passes authentication of the host system;
    an encrypted data acquiring unit configured to acquire the encrypted multimedia data based on the license file;
    a data decrypting unit configured to send the encrypted multimedia data to the host system for decryption based on the secure communication channel; and
    a multimedia playing back unit configured to acquire decrypted multimedia data obtained by decryption by the host system, and playback the decrypted multimedia data.
PCT/KR2024/006501 2023-06-29 2024-05-13 Method and device of multimedia playback for virtual system Pending WO2025005456A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US19/297,450 US20250373452A1 (en) 2023-06-29 2025-08-12 Method and device of multimedia playback for virtual system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310794669.1 2023-06-29
CN202310794669.1A CN116962845A (en) 2023-06-29 2023-06-29 Multimedia playback method and device for virtual system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US19/297,450 Continuation US20250373452A1 (en) 2023-06-29 2025-08-12 Method and device of multimedia playback for virtual system

Publications (1)

Publication Number Publication Date
WO2025005456A1 true WO2025005456A1 (en) 2025-01-02

Family

ID=88454007

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2024/006501 Pending WO2025005456A1 (en) 2023-06-29 2024-05-13 Method and device of multimedia playback for virtual system

Country Status (3)

Country Link
US (1) US20250373452A1 (en)
CN (1) CN116962845A (en)
WO (1) WO2025005456A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116962845A (en) * 2023-06-29 2023-10-27 三星电子(中国)研发中心 Multimedia playback method and device for virtual system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101550661B1 (en) * 2014-04-18 2015-09-07 비비엠씨 (주) Mobile streaming system and mobile terminal
US20160360282A1 (en) * 2015-01-27 2016-12-08 Charter Communications Operating, Llc System and method of content streaming and downloading
US9529978B2 (en) * 2013-08-28 2016-12-27 Chung Jong Lee Cloud E-DRM system and service method thereof
JP2021052297A (en) * 2019-09-25 2021-04-01 株式会社コルグ Reproduction control device, reproduction control method, and program
US20210136431A1 (en) * 2015-09-11 2021-05-06 Activevideo Networks, Inc. Secure Bridging of Third-Party Digital Rights Management to Local Security
CN116962845A (en) * 2023-06-29 2023-10-27 三星电子(中国)研发中心 Multimedia playback method and device for virtual system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9529978B2 (en) * 2013-08-28 2016-12-27 Chung Jong Lee Cloud E-DRM system and service method thereof
KR101550661B1 (en) * 2014-04-18 2015-09-07 비비엠씨 (주) Mobile streaming system and mobile terminal
US20160360282A1 (en) * 2015-01-27 2016-12-08 Charter Communications Operating, Llc System and method of content streaming and downloading
US20210136431A1 (en) * 2015-09-11 2021-05-06 Activevideo Networks, Inc. Secure Bridging of Third-Party Digital Rights Management to Local Security
JP2021052297A (en) * 2019-09-25 2021-04-01 株式会社コルグ Reproduction control device, reproduction control method, and program
CN116962845A (en) * 2023-06-29 2023-10-27 三星电子(中国)研发中心 Multimedia playback method and device for virtual system

Also Published As

Publication number Publication date
CN116962845A (en) 2023-10-27
US20250373452A1 (en) 2025-12-04

Similar Documents

Publication Publication Date Title
WO2013122443A1 (en) Method and apparatus for protecting digital content using device authentication
WO2014119936A1 (en) Method of and apparatus for processing software using hash function to secure software, and computer-readable medium storing executable instructions for performing the method
CN105095696B (en) Method, system and the equipment of safety certification are carried out to application program
WO2014092511A1 (en) Method and apparatus for protecting an application program
US20140380503A1 (en) Program execution device
WO2014175538A1 (en) Apparatus for providing puf-based hardware otp and method for authenticating 2-factor using same
WO2013191325A1 (en) Method for authenticating trusted platform-based open id, and apparatus and system therefor
WO2021112603A1 (en) Method and electronic device for managing digital keys
WO2019132272A1 (en) Id as blockchain based service
WO2016064041A1 (en) User terminal using hash value to detect whether application program has been tampered and method for tamper detection using the user terminal
WO2014193058A1 (en) Device and method for providing security in remote digital forensic environment
WO2025005456A1 (en) Method and device of multimedia playback for virtual system
WO2017016272A1 (en) Method, apparatus and system for processing virtual resource data
WO2012138098A2 (en) Method, host, storage, and machine-readable storage medium for protecting content
WO2020032351A1 (en) Method for establishing anonymous digital identity
WO2020111517A1 (en) Server and method for identifying integrity of application
WO2023191216A1 (en) Data encryption and decryption system and method
CN116502189A (en) Software authorization method, system, device and storage medium
WO2020096180A1 (en) Method for confirming indication of intent which is capable of ensuring anonymity and preventing sybil attacks, and method for registering and authenticating identification information storage module
WO2016064040A1 (en) User terminal using signature information to detect whether application program has been tampered and method for tamper detection using the user terminal
WO2022085874A1 (en) Electronic apparatus and controlling method thereof
WO2013009120A2 (en) Mobile communication terminal and apparatus and method for authenticating applications
WO2019017544A1 (en) User authentication service provision method, web server, and user terminal
WO2013125883A1 (en) Drm/cas service device and method using security context
WO2022119387A1 (en) Method, electronic device and server for performing user authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24832240

Country of ref document: EP

Kind code of ref document: A1